Wyze shared more details on a security incident that impacted thousands of users on Friday and said that at least 13,000 customers could get a peek into other users’ homes.
The company blames a third-party caching client library recently added to its systems, which had problems dealing with a large number of cameras that came online all at once after a widespread Friday outage.
Multiple customers have been reporting seeing other users’ video feeds under the Events tab in the app since Friday, with some even advising other customers to turn off the cameras until these ongoing issues are fixed.
“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or events during that time you likely weren’t able to. We’re very sorry for the frustration and confusion this caused,” the company says in emails sent to affected users.
“As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation.”
Wyze says this happened because of the sudden increased demand and led to the mixing of device IDs and user ID mappings, causing the erroneous connection of certain data with incorrect user accounts.
As a result, customers could see other people’s video feed thumbnails and, in some cases, even video footage after tapping the camera thumbnails in the Wyze app’s Events tab.
“We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. We’ve identified your Wyze account as one that was affected,” the company says in emails sent to affected users.
“This means that thumbnails from your Events were visible in another Wyze user’s account and that a thumbnail was tapped. Most taps enlarged the thumbnail, but in some cases it could have caused an Event Video to be viewed.”
Wyze has yet to share the exact number of users who had their video surveillance feeds exposed in the incident.
The company has now added an extra layer of verification for users who want to access video content via the Events tab to ensure that this issue will not happen in the future.
Additionally, it adjusted systems to avoid caching during user-device relationship checks until it can switch to a new client library capable of working correctly during “extreme events” like the Friday outage.
Source: www.bleepingcomputer.com